Introduction
In the last few months, reports of cyberattacks on companies in Europe and beyond have risen. These attacks can cause tremendous damage to affected businesses, especially when services are disrupted or when trade secrets or sensitive employee, supplier or customer data are exfiltrated by cybercriminals who threaten to publish them. This raises companies’ financial exposure due to the increased risk of fines, employment or civil litigation and, in some jurisdictions, class actions.
Lately, so-called double extortion ransomware attacks have become popular among threat actor groups, during which they encrypt the data on victims' servers and threaten to publish exfiltrated data on the ‘dark web’.
During network infiltration, attackers typically leave a ransom note requesting a payment in cryptocurrency, on receipt of which they ‘promise’ to decrypt systems and refrain from publishing any data. The deadline is usually imminent, putting companies in a predicament - to pay or not to pay? While management are often reluctant to support criminal activity by conceding to attackers’ demands, they still find themselves in a difficult position. Will the payment really end the attack and remedy the damage caused?
When it comes to the question of whether to pay, any decision taken by management should be made in full awareness of the practical, financial and legal risks. The following considerations are important when making such a decision.
Data protection risks and requirements
Ransomware attacks on IT systems typically endanger both the availability and confidentiality of personal data, thus constituting a ‘breach of data security’ under data protection laws in many jurisdictions. Data protection authorities must be notified of such a breach, usually without delay.
The company may also be required to inform individuals, such as customers or employees, whose personal data are affected by the breach of any potential consequences. In some jurisdictions (such as the EU or UK) the question of whether a company must inform individuals or not depends on various risk factors, including the sensitivity of affected data, and the likelihood and severity of potential harm from the breach. Any decision in this regard should be based on a solid risk assessment considering the results of a prior review of the data potentially exfiltrated by the attackers.
Informing affected data subjects individually, however, carries the risk that some of them may raise civil claims and seek damages. They may argue, for example, that sufficient protective measures were not in place prior to the breach or that the breach was not handled diligently.
In this context, whether a company has paid a ransom or not – and consequently whether the attackers promised not to publish any of the exfiltrated data – is not typically considered a risk-mitigating factor by authorities or courts. Instead, to reduce the risk of investigations and potential fine proceedings by authorities, companies should concentrate on setting up a comprehensive remediation plan to ensure that any vulnerabilities in their IT security concept are properly addressed at short notice. Paying the ransom does not count as a protective measure, nor is it likely to persuade authorities that the remediation activities taken were sufficient.
Considerations on criminal law and sanctions
These days, there is some discussion among legal experts on whether ransom payments may be illegal. While in the UK and US the support of ‘terrorist organisations’ is prohibited, in German law there is also a wider prohibition on supporting so-called ‘criminal organisations’ (Section 129 of the German Criminal Code). There is no precedent as, so far, law enforcement authorities have had no appetite to investigate and prosecute ransom payment cases. In addition, there are strong defence arguments in such cases, particularly regarding lack of intent. Thus, the risk of prosecution is considered low. Nevertheless, authorities’ practices could change in the future, so legal uncertainty remains regarding the permissibility of ransom payments under criminal law. Additionally, governments and regulatory authorities strongly discourage companies from making payments in cyber-attack cases. Therefore, trying to discover the identity of the attackers and involving law enforcement are integral to assessing and reducing the related risks.
Moreover, as recent attacks have shown, hacker groups may have ties to sanctions-sensitive or even sanctioned countries, or to individuals or entities on sanctions lists. Therefore, there is a risk that ransom payments may be made available to – or at least for the benefit of – sanctioned persons.
Such direct or indirect payments to a sanctioned person or entity would constitute a breach of EU/UK/US (and potentially other Western) sanctions. Sanctions breaches can lead to significant administrative fines and even criminal liability for the attacked entity making the payment (as well as involved individuals).
Against this backdrop, comprehensive sanctions due diligence on identifiable parties (which is often difficult in ransomware attacks) and crypto wallets is essential before considering whether or not to make a payment.
Best practice when considering ransom payments
As can be seen from the above, decisions on paying ransoms after a cyberattack can have significant consequences for companies and thus require a diligent assessment of the associated risks. Additionally, there is no certainty that systems and data will be decrypted or kept private after the payment is made. Nevertheless, if a crypto-payment is considered as a last resort, the following points should be considered to reduce exposure and liability:
- involve forensic experts who have expertise with ransom payments. These experts can not only support the analysis and recovery, but also provide helpful insights on the approach of the attackers and their likely identity;
- involve legal experts and competent authorities to tackle risks and assess corporate, data protection, criminal and sanction law. This allows decisions on ransom payments to be made based on the actual and legal risks; and
- involve law enforcement agencies at an early stage in a transparent and cooperative manner, and coordinate an approach towards the attackers to reduce the risk of investigation or prosecution.